Security Now 311
Topic: Anatomy of a Security Mistake
Recorded: July 27, 2011
Published: July 27, 2011
Security Now 311: Anatomy of a Security Mistake
News & Errata
- Apple iOS updated to v4.3.5, fixes a certificate issues.
- a new Mac tool from Passware (cost $995), that gives access to the whole the Mac system through a firewire connection (Firewire has DMA access to ALL system resources).
- Apple Battery Hack: default password in battery controller firmware can be used to change voltage data to kill batteries by blocking cell charging.
Happy but confused, SpinRite presented a Red screen with an error code, but rebooting and restarting SpinRite it went all OK
Anatomy of a Security Mistake
Introduction to Signed/Unsigned number representation in Binary
Positive numbers are represented as is in binary, for example, these numbers in decimal becomes
Negative numbers are represented by taking the positive number, inverting all bits, then adding one, like this:
and so on
Introduction to blowfish encryption
Blowfish works 1 byte (8 bits) at a time, but the register used is a 32bit register, so the developer used 1 32bit register to store 4 bytes at a time. This is done by adding 1 byte/8 bits to the register, shifting left by 8 bits, then repeat another 3 times. Like this you end up by having 4 byte (32 bits) in 1 32 bit register, which is all correct. The adding by itself is done by doing an OR operation between the 32bit register and the byte contents.
|Empty the register||00000000 00000000 00000000 00000000|
|OR'ing first byte||01010101||00000000 00000000 00000000 01010101|
|shift left by 8 bits||00000000 00000000 01010101 00000000|
|OR'ing second byte||10101010||00000000 00000000 01010101 10101010|
|shift left by 8 bits||00000000 01010101 10101010 00000000|
|OR'ing third byte||11001100||00000000 01010101 10101010 11001100|
|shift left by 8 bits||01010101 10101010 11001100 00000000|
|OR'ing forth byte||00110011||01010101 10101010 11001100 00110011|
Where is the problem?
The algorithm was coded in C language, and the register is defined as a 32bit unsigned, while the 1 byte is defined as just "char", and in C language the "char" is considered as a signed value.
When the compiler sees the OR operation between a 32 bit unsigned value and a 8 bit signed value, it "pads" the 8 bits value to make 32 bits, with an operation called sign extension. What Sign extension does is that it takes the highest bit (left-most) and pads its value to the rest of the bits. For example:
|Decimal value||8 bit register||32 bit extended register|
|3||00000011||00000000 00000000 00000000 00000011|
|-3||11111101||11111111 11111111 11111111 11111101|
This is all correct in normal use, EXCEPT that ORing 1 to the register, all the resulting register is wiped out with 1. In the Blowfish case, the first 3 bytes gets wiped out and only every 4th byte is maintained.
For example, the last step in the blowfish becomes:
|Initial Register status for step 4||01010101 10101010 11001100 00000000|
|1 Byte value, after extension||11010111||11111111 11111111 11111111 11010111|
|ORing char to register||11111111 11111111 11111111 11010111|
|Final register value||11111111 11111111 11111111 11010111|
The fix of this bug in the C code of the algorithm was simply by defining the char as unsigned char
- Edited by: Tech_Engineer
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|